Perception vs. Reality

Energy companies are evolving their cybersecurity strategies, but most companies still view cyberattacks as a "black box."

We recently surveyed 2,000 security executives at large, global enterprises and found that about one in three focused, targeted breach attempts succeeded.

In oil and gas, 60 percent of executives saw cyberattacks as a bit of a "black box."

Still, 75 percent of respondents were “confident” they were doing the right things with their security strategies, and a similar number said security is “completely embedded” in their cultures, with support from the highest-level executives.

Clearly, there’s a disconnect.

Surviving in this increasingly risky environment requires a cybersecurity “re-boot” to embrace an end-to-end approach that recognizes a spectrum of threats across the information technology (IT) and operational technology (OT) environments, minimizes exposure and identifies high-priority assets. In particular, oil and gas businesses must expand their cybersecurity strategies to include operational technology and invest in advanced analytics, incident management programs and ongoing testing focused on protecting core operations. This takes a few fundamental steps.

Oil and gas companies should invest in analytics, cyber incident management and continuous testing to crack the cybersecurity black box.

Define Success

To reframe their cybersecurity perspectives and establish a new definition of success, oil and gas organizations need to understand what is happening on their IT and OT networks.

Start by answering several critical questions:

Have we identified all priority business data assets and their locations?

Can we defend the company from a motivated adversary?

What are the potential ramifications of a successful cyberattack in terms of environmental, health, safety and productivity impacts?

Do we have the tools and techniques to react and respond to a targeted attack?

Do we know what adversaries really want and what we really want to protect?

Where should we make our cybersecurity investments based on potential risk?

How often do we “practice” our plan to improve our responsiveness?

Are we using the data and other outputs from our cybersecurity strategy to improve our program over time?

We believe energy security organizations need to better align their strategies with business imperatives. While many organizations are making progress in compliance and risk management, security programs must continue to improve detection and prevention of more advanced attack scenarios.

Through investments in improved cybersecurity analytics, incident management programs, and testing for OT and IT networks, energy companies can better protect their core operations.

Make security everyone’s job

Organizations should make cybersecurity an organizational mindset—one capable of continually evolving and adapting to changing threats.

To foster a culture of cybersecurity and move closer to a state of digital trust, organizations should emphasize an adaptive, evolutionary approach to addressing all aspects of security on an ongoing basis.

This means investing in education and training for IT and OT staff alike so that they can step out of their comfort zones and collaborate across the organization.

Together, they can help devise security strategies that make sense in both business and operational contexts, while encouraging deeper engagements with enterprise leadership on a day-to-day basis. Doing so requires IT to speak the language of OT, and vice versa.

Reboot your approach

See the results of our global survey for the Energy industry, and learn what must be done.

Define cybersecurity success

Improve alignment of cybersecurity strategies with business imperatives, and improve the ability to detect and prevent more advanced attacks.

Pressure-test security capabilities

Engage "white-hat" external hackers for attack simulations to establish a realistic assessment of internal capabilities—across IT and OT environments.

Protect from the inside out

Prioritize protection of the organization’s key assets (including industrial control systems) and focus on the internal incursions with greatest potential impact.
